Posted to users@tomcat.apache.org by Jim Sellers <ji...@gmail.com> on 2015/07/23 15:07:01 UTC

Is there a security hardened / production ready binary distribution?

Hi all.

Sorry if this has already been answered, but I couldn't find it.

I'm looking at using tomcat in a docker container and I was wondering why
there isn't a binary distribution that has most / all of the steps already
done from the security how to?
https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html

I understand that there wouldn't be a true one size fits all, but rather
than get everyone to try to follow the same basic steps, I thought that they
would be done upstream in the project.

If there's a reason why, I'm curious to learn what it is.

I've also opened a ticket with the official docker tomcat image project for
a tomcat that has this done.
https://github.com/docker-library/tomcat/issues/14

Thanks for your time.
Jim

Re: Is there a security hardened / production ready binary distribution?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jim,

On 7/23/15 11:14 AM, Jim Sellers wrote:
> On Thu, Jul 23, 2015 at 10:50 AM, Mark Thomas <ma...@apache.org>
> wrote:
> 
>> On 23 July 2015 15:07:01 CEST, Jim Sellers
>> <ji...@gmail.com> wrote:
>>> Hi all.
>>> 
>>> Sorry if this has already been answered, but I couldn't find
>>> it.
>>> 
>>> I'm looking at using tomcat in a docker container and I was
>>> wondering why there isn't a binary distribution that has most /
>>> all of the steps already done from the security how to? 
>>> https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
>>> 
>>> I understand that there wouldn't be a true one size fits all,
>>> but rather than get everyone to try to follow the same basic
>>> steps, I thought that they would be done upstream in the
>>> project.
>>> 
>>> If there's a reason why, I'm curious to learn what it is.
>>> 
>>> I've also opened a ticket with the official docker tomcat image
>>> project for a tomcat that has this done. 
>>> https://github.com/docker-library/tomcat/issues/14
>>> 
>>> Thanks for your time. Jim
>> 
>> Which default settings do you expect to be changed?
>> 
>> Mark
> 
> 
> 
> I was thinking the parts from that document that say "should be" or
> "not intended for production". e.g. deleting the default apps

Beginners sometimes have a hard time getting things deployed, and the
examples application gives them some guidance. Going into production
is usually done by someone who has a little bit of a clue, and
removing a directory isn't terribly onerous.

The examples application should be "safe" to deploy, if a little silly
in a production environment. It certainly is an attack vector, but the
Tomcat team consider vulnerabilities in the examples web application
to be vulnerabilities in the product, and fix them accordingly.

The manager and host-manager applications require authentication and
no users are configured in the default distribution.

> disabling the version number

IMHO this is a completely useless change. The version number has said
"Apache-Coyote/1.1" pretty much forever, so you can't really learn
anything from that server string besides that the server is running
"Tomcat".

> , etc.

I'm interested in the "etc" here.

> I'm somewhat new to TC and was looking for a distribution that was
> closer to the recommended TC production setup than the default
> one.
> 
> I was assuming that both would be available for download.

For our production deployments, we make the following changes from the
stock Tomcat distribution:

1. Separate CATALINA_BASE from CATALINA_HOME
   (Really, everyone who wants to use Tomcat for anything non-trivial
   should be doing this.)
   Note that this takes care of your "default applications" step above.

2. Add a localhost-only connector for local communication.

3. Front Apache Tomcat with Apache httpd.

Of those 3, none can reasonably be accomplished using a "distribution"
of Tomcat, because they are so environment-specific.

There was recently a discussion (I can't remember if it was on the
users' or dev list) about splitting CATALINA_HOME and CATALINA_BASE by
default, and it was determined that the installer would be hideously
complicated to handle those situations, and the non-installer-based
distributions (e.g. tarball and ZIP file) would not be able to support
it, anyway.

A default installation of Tomcat should be ready to go for production,
modulo any environment-specific modifications that only the user would
be able to determine.

If you have any suggestions for specific things that you think should
be done, please let us know.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

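A concrete form of steps 1 and 2 from Chris's list above, as an added example that is not from the thread or from the Tomcat project: a POSIX shell function that builds a separate CATALINA_BASE with an empty webapps/ directory (so none of the default applications land in the instance) and a server.xml whose HTTP connector binds to the loopback address only, which is the shape you want when an httpd sits in front of Tomcat. The directory layout, the port numbers and the minimal server.xml are assumptions made for the example; when a real CATALINA_HOME is passed, its conf/ directory is copied first so the instance also gets web.xml and the other stock configuration files.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or the Tomcat project.
# Builds a per-instance CATALINA_BASE next to (not inside) an unpacked Tomcat
# distribution (CATALINA_HOME). Ports and file names are assumptions.

make_catalina_base() {
    home="$1"   # CATALINA_HOME: the unpacked distribution (may not exist yet)
    base="$2"   # CATALINA_BASE: the instance tree this function creates

    # Tomcat expects these directories under CATALINA_BASE.
    mkdir -p "$base/conf" "$base/logs" "$base/temp" "$base/webapps" "$base/work"

    # Start from the distribution's conf/ (web.xml, catalina.properties, ...)
    # when it is available, then replace server.xml with the instance version.
    if [ -d "$home/conf" ]; then
        cp -R "$home/conf/." "$base/conf/"
    fi

    # Constructed minimal server.xml: shutdown port disabled (-1), one HTTP
    # connector bound to loopback only, and autoDeploy off so nothing dropped
    # into webapps/ by accident goes live.
    cat > "$base/conf/server.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Reachable only from the front-end httpd on the same host -->
    <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>
</Server>
EOF
    # webapps/ is left empty on purpose: ROOT, docs, examples, manager and
    # host-manager stay in CATALINA_HOME/webapps and are never deployed here.
}

# Counts how many of the stock applications are present in an instance's
# webapps/ (as a directory or a WAR). 0 is what a hardened instance reports.
count_default_apps() {
    n=0
    for app in ROOT docs examples manager host-manager; do
        if [ -e "$1/webapps/$app" ] || [ -e "$1/webapps/$app.war" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Succeeds (exit 0) when the instance's connector is bound to loopback only.
connector_is_loopback() {
    grep -q 'address="127.0.0.1"' "$1/conf/server.xml"
}

# Usage: sh make_base.sh /opt/tomcat /srv/tomcat-instances/app1
# then:  CATALINA_BASE=/srv/tomcat-instances/app1 /opt/tomcat/bin/catalina.sh start
if [ $# -ge 2 ]; then
    make_catalina_base "$1" "$2"
    echo "default apps present: $(count_default_apps "$2")"
fi
```

The two check functions are what you would run from a build or audit script against an existing instance: a non-zero `count_default_apps` or a failing `connector_is_loopback` means the instance drifted from the layout Chris describes. Step 3 (the httpd in front) is deliberately not generated here; it lives in httpd's own configuration and is entirely environment-specific.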

Re: Is there a security hardened / production ready binary distribution?

Posted by Jim Sellers <ji...@gmail.com>.
On Thu, Jul 23, 2015 at 10:50 AM, Mark Thomas <ma...@apache.org> wrote:

> On 23 July 2015 15:07:01 CEST, Jim Sellers <ji...@gmail.com> wrote:
> >Hi all.
> >
> >Sorry if this has already been answered, but I couldn't find it.
> >
> >I'm looking at using tomcat in a docker container and I was wondering
> >why
> >there isn't a binary distribution that has most / all of the steps
> >already
> >done from the security how to?
> >https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
> >
> >I understand that there wouldn't be a true one size fits all, but
> >rather than get everyone to try to follow the same basic steps, I
> >thought that they would be done upstream in the project.
> >
> >If there's a reason why, I'm curious to learn what it is.
> >
> >I've also opened a ticket with the official docker tomcat image project
> >for
> >a tomcat that has this done.
> >https://github.com/docker-library/tomcat/issues/14
> >
> >Thanks for your time.
> >Jim
>
> Which default settings do you expect to be changed?
>
> Mark



I was thinking the parts from that document that say "should be" or "not
intended for production".
e.g. deleting the default apps, disabling the version number, etc.

I'm somewhat new to TC and was looking for a distribution that was closer to
the recommended TC production setup than the default one.

I was assuming that both would be available for download.

Jim

Re: Is there a security hardened / production ready binary distribution?

Posted by Mark Thomas <ma...@apache.org>.
On 23 July 2015 15:07:01 CEST, Jim Sellers <ji...@gmail.com> wrote:
>Hi all.
>
>Sorry if this has already been answered, but I couldn't find it.
>
>I'm looking at using tomcat in a docker container and I was wondering
>why
>there isn't a binary distribution that has most / all of the steps
>already
>done from the security how to?
>https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
>
>I understand that there wouldn't be a true one size fits all, but
>rather than get everyone to try to follow the same basic steps, I
>thought that they would be done upstream in the project.
>
>If there's a reason why, I'm curious to learn what it is.
>
>I've also opened a ticket with the official docker tomcat image project
>for
>a tomcat that has this done.
>https://github.com/docker-library/tomcat/issues/14
>
>Thanks for your time.
>Jim

Which default settings do you expect to be changed?

Mark